07-17-2024 07:19 PM - edited 07-17-2024 09:09 PM
Hello Cisco ISE lovers,
I have a plan for Cisco ISE (low impact mode) to integrate with Windows Hello for Business, in terms of authentication (user first log-on with PIN or biometric fingerprint scan/facial recognition).
From the feasibility study, we use EAP-FAST [TLS (machine) + MSCHAPv2 (user authentication)].
Has anyone experienced this use case, or have any suggestions?
07-17-2024 11:07 PM
I would suggest using TEAP.
You can use a cert for the machine and user/password for the user, or a cert for both.
07-18-2024 03:28 PM
You cannot use MSCHAPv2 in conjunction with Windows Hello. The supplicant has no way to take the Hello input (PIN, for example) and translate that to a username/password to present in the 802.1X response.
If you want to use Windows Hello, you must use certificate-based authentication: EAP-TLS or TEAP(EAP-TLS).
07-18-2024 07:38 PM
Thanks for your solution, and the great idea of relying on certificates.
What about challenging with an external identity source like AD to authenticate a trusted machine/user identity?
07-18-2024 08:46 PM
The certificate identity obtained from the cert, which is generally the UPN user@domain.com, can be looked up in AD/LDAP to verify that it is a valid user, and user/group attributes can be retrieved for authorization to provide a differentiated authorization policy per group (or user).
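Since both of the replies above hinge on the supplicant presenting a certificate that carries the user's UPN, here is an added PowerShell check (not from this thread or from Cisco) that lists the certificates in a Windows user's personal store and reports whether each one has a private key, the Client Authentication EKU, and a UPN in its Subject Alternative Name, which is the identity ISE would look up in AD. The store path, the EKU/SAN OIDs and the "usable" rule are this example's assumptions, not ISE settings.

```powershell
# Added example: inspect certificates a Windows supplicant could present for
# EAP-TLS / TEAP(EAP-TLS) and show the SAN UPN that ISE would look up in AD.
# Assumptions: CurrentUser\My for user certs (use Cert:\LocalMachine\My for
# machine certs); standard OIDs for Client Authentication EKU and SAN.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-EapTlsCandidate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The Cert: provider exposes EKUs as EnhancedKeyUsageList (ObjectId / FriendlyName)
        $hasClientAuth = @($cert.EnhancedKeyUsageList.ObjectId) -contains $clientAuthEku

        # Windows renders the SAN as text, e.g. "Other Name:Principal Name=user@domain.com"
        $upn = $null
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($san) {
            $text = $san.Format($true)
            if ($text -match 'Principal Name=([^\s,]+)') { $upn = $Matches[1] }
        }

        $notExpired = $cert.NotAfter -gt (Get-Date)

        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            HasPrivateKey   = $cert.HasPrivateKey
            ClientAuthEku   = $hasClientAuth
            SanUpn          = $upn
            # Assumed rule: private key + client-auth EKU + UPN SAN + not expired
            UsableForEapTls = ($cert.HasPrivateKey -and $hasClientAuth -and
                               $null -ne $upn -and $notExpired)
        }
    }
}

# Run it and show the result; certificates with UsableForEapTls = $false are
# the ones that would fail a certificate-based policy before any AD lookup happens.
Get-EapTlsCandidate | Format-Table -AutoSize
```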
07-18-2024 09:40 PM
In my experience, the UPN is mostly defined for the machine under a domain join after the selected source sequence, not for user@domain.com in AD.
Correct me if I am wrong.
07-19-2024 03:32 PM
It depends on how the supplicant is configured. See this explanation and example...
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835
I have Win 10 and 11 instances in my lab that use TEAP(EAP-TLS) or EAP-TLS with User or Computer authentication and they work perfectly with Windows Hello PIN login.
07-19-2024 07:32 PM
UPN is used a lot for users as well, and for Azure / Entra that is generally a requirement.
07-18-2024 08:47 PM
I haven't tested with Windows Hello, but I think if you disable "use Windows login credentials" for dot1x, it could prompt the user for creds? Of course, certs are the best.